Skip to content

Commit

Permalink
Revert "Release fixes to main (#251)"
Browse files Browse the repository at this point in the history
This reverts commit d5230f5.
  • Loading branch information
piyushroshan authored May 20, 2024
1 parent d5230f5 commit d52109b
Show file tree
Hide file tree
Showing 3 changed files with 11 additions and 20 deletions.
2 changes: 0 additions & 2 deletions deploy/docker/docker-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -52,8 +52,6 @@ services:
condition: service_healthy
mongodb:
condition: service_healthy
mailhog:
condition: service_healthy
healthcheck:
test: /app/health.sh
interval: 15s
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -76,9 +76,6 @@ protected void doFilterInternal(
response.sendError(
HttpServletResponse.SC_UNAUTHORIZED, UserMessage.ACCOUNT_LOCKED_MESSAGE);
}
} else {
tokenLogger.error(UserMessage.INVALID_CREDENTIALS);
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, UserMessage.INVALID_CREDENTIALS);
}
} catch (Exception e) {
tokenLogger.error("Can NOT set user authentication -> Message:%d", e);
Expand Down Expand Up @@ -125,13 +122,10 @@ public String getUserFromToken(HttpServletRequest request) throws ParseException
String username = null;
if (token != null) {
if (apiType == ApiType.APIKEY) {
logger.debug("Token is api token");
username = tokenProvider.getUserNameFromApiToken(token);
} else {
logger.debug("Token is jwt token");
if (tokenProvider.validateJwtToken(token)) {
username = tokenProvider.getUserNameFromJwtToken(token);
}
tokenProvider.validateJwtToken(token);
username = tokenProvider.getUserNameFromJwtToken(token);
}
// checking username from token
if (username != null) return username;
Expand Down
19 changes: 9 additions & 10 deletions services/identity/src/main/java/com/crapi/config/JwtProvider.java
Original file line number Diff line number Diff line change
Expand Up @@ -175,26 +175,25 @@ public boolean validateJwtToken(String authToken) {
SignedJWT signedJWT = SignedJWT.parse(authToken);
JWSHeader header = signedJWT.getHeader();
Algorithm alg = header.getAlgorithm();
boolean valid = false;

// JWT Algorithm confusion vulnerability
logger.debug("Algorithm: " + alg.getName());
JWSVerifier verifier;
logger.info("Algorithm: " + alg.getName());
if (Objects.equals(alg.getName(), "HS256")) {
String secret = getJwtSecret(header);
logger.debug("JWT Secret: " + secret);
verifier = new MACVerifier(secret.getBytes(StandardCharsets.UTF_8));
logger.info("JWT Secret: " + secret);
JWSVerifier verifier = new MACVerifier(secret.getBytes(StandardCharsets.UTF_8));
return signedJWT.verify(verifier);
} else {
RSAKey verificationKey = getKeyFromJkuHeader(header);
JWSVerifier verifier;
if (verificationKey == null) {
logger.debug("Key from JWKS: " + this.publicRSAKey.toJSONString());
verifier = new RSASSAVerifier(this.publicRSAKey);
} else {
logger.debug("Key from JKU: " + verificationKey.toJSONString());
logger.info("Key from JKU: " + verificationKey.toJSONString());
verifier = new RSASSAVerifier(verificationKey);
}
valid = signedJWT.verify(verifier);
logger.info("JWT valid?: " + valid);
return valid;

return signedJWT.verify(verifier);
}

} catch (ParseException e) {
Expand Down

0 comments on commit d52109b

Please sign in to comment.